Episode 13

Show Notes

Overview

This week we look at some details of the 16 unique CVEs addressed across the supported Ubuntu releases and more.

This week in Ubuntu Security Updates

16 unique CVEs addressed

[USN-3816-2] systemd vulnerability

• 3 CVEs addressed in Xenial, Bionic, Cosmic
  • CVE-2018-15687
  • CVE-2018-15686
  • CVE-2018-6954
• Episode 12 - original fix for CVE-2018-6954 was incomplete - this includes the complete fix
• Also includes an update to avoid a possible hang on shutdown in unattended-upgrades - LP #1803391
  • During shutdown, systemd is already in the process of shutting down
  • Then unattended-upgrades runs and it goes and tries to update systemd - which then tries to reexec it - which blocks waiting for it to finish shutting down
  • Creates a deadlock since systemd is waiting on unattended-upgrades to finish but u-u is waiting on systemd reexec
  • Fix is to not do reexec if systemd is already in the process of stopping

[USN-3825-1, USN-3825-2] mod_perl vulnerability

• 1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • CVE-2011-2767
• Old CVE - reported to Debian in 2011, who assigned a CVE internally but didn’t go any further with it
• Recently the original reporter of the vulnerability submitted a patch to Debian to fix it - so vuln was reported to Mitre
• Now fixed in Ubuntu as well

[USN-3801-2] Firefox regressions

• 12 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-12397
  • CVE-2018-12396
  • CVE-2018-12395
  • CVE-2018-12403
  • CVE-2018-12402
  • CVE-2018-12401
  • CVE-2018-12399
  • CVE-2018-12398
  • CVE-2018-12393
  • CVE-2018-12392
  • CVE-2018-12390
  • CVE-2018-12388
• Firefox update (v63) (Episode 9) had some minor regressions
  • These were present in the upstream firefox release itself
• This provides 63.0.3 which contains these fixes from upstream to address the regressions
  • WebGL hangs, slow page loading if using specific proxy settings etc.

Goings on in Ubuntu Security Community

Linux Cryptocoin Malware

• https://www.zdnet.com/article/new-linux-crypto-miner-steals-your-root-password-and-disables-your-antivirus/
• Apparently reports of users affected
• Requires SSH to login - bruteforce passwords
  • Use strong passwords / public key auth
• Elevates privileges via two very old CVEs
  • CVE-2016-5195 - Dirty Cow - fixed for Ubuntu in October 2016
  • CVE-2013-2094 - perf root privilege escalation - fixed for Ubuntu in May 2013
• All Ubuntu users are fine unless you are running a old release AND have not been applying security patches
• Please use strong passwords if enabling openssh server

Preview of next episode

Upcoming fixes

• qemu, webkitgtk

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter